Appsec Development: Keeping it all together at scale
Blog post from Semgrep
At Snowflake, the rapid growth of the company necessitated a shift from a centralized, ad-hoc security review process to a more scalable and distributed model. Initially, security reviews were handled informally, leading to significant backlogs and delays. The solution involved integrating security into the software development process by empowering software engineers to take ownership of security through the introduction of Security Partners: engineers trained to handle security within their own teams. This decentralized approach aimed to make teams more autonomous and to reduce reliance on the central security team.

Despite initial successes, challenges persisted, such as inconsistencies in threat modeling and increased time spent on security assessments. To address this, a risk assessment process was developed to categorize projects by risk level, allowing low-risk projects to bypass extensive threat modeling and thereby streamlining the security review process. The company also focused on improving tools and processes, emphasizing the importance of collaboration between security engineers and software engineers.

The ongoing effort is to make security reviews efficient and to embed security considerations early in project planning, ensuring that the process supports the business's growth without becoming a bottleneck.